India has finally passed a comprehensive data protection law – the Digital Personal Data Protection Act, 2023 (“DPDP Act”). While the DPDP Act replicates many aspects of the EU GDPR, it diverges on a number of important points reflecting both learnings from the operation of the EU GDPR and the need to apply data protection laws within an Indian context.
Overview
The DPDP Act was notified in the Official Gazette on 11 August 2023 and will come into force on a date to be subsequently notified, with different dates being appointed for different provisions. It is largely similar to the Digital Personal Data Protection Bill, 2022, which was released for public comments in November 2022 (discussed here).
The DPDP Act provides the framework for the new data protection regime but will be supplemented by rules to be issued by the Central Government in due course (on 26 prescribed subjects). The Data Protection Board of India (“Board”) will also be established as the adjudicatory body, with the power to determine non-compliance with the DPDP Act/rules and impose penalties.
Therefore, the effect of the DPDP Act will only be clear when the rules are issued and the Board is established and starts to interpret and apply the principle-based obligations under this new law.
The DPDP Act will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which have been India’s data protection framework until now.
More information on the previous framework can be found here.
Scope of the DPDP Act
The DPDP Act is ‘principles-based legislation’ that relies on concepts that are broadly similar to those in the GDPR. It governs data fiduciaries (i.e. data controllers), data processors and data principals (i.e. data subjects).
The DPDP Act is applicable to personal data capable of identifying the data principal, which is either collected digitally or is digitised after it is collected non-digitally. Personal data processed for personal or domestic purposes or aggregated personal data collected for research and statistical purposes which is not used for any decision specific to a data principal are excluded from the DPDP Act. Interestingly, and in contrast to the GDPR, personal data made publicly available is also out of scope of the DPDP Act.
The territoriality provisions are also similar to the GDPR. The DPDP Act is applicable to data which is processed within Indian territory or, if processed outside, is in connection with any activity relating to the offering of goods and services to individuals within India. However, the DPDP Act does not apply to entities outside India that monitor the behaviour of data subjects within India.
No concept of special category personal data
Unlike the GDPR, the DPDP Act applies uniformly to all types of digital personal data. There are no additional controls on processing sensitive personal data (as identified under the SPDI Rules) or critical personal data (as was proposed in an earlier iteration of the draft data protection law).
This is different from the GDPR, which includes “special categories of personal data” (personal data in relation to racial/ethnic origin, political opinions, religious beliefs, sexual orientation or genetic, biometric or health data) that can only be processed for specified reasons.
Purpose, notice and consent
The DPDP Act contains a more limited concept of privacy notices. Where a data fiduciary needs to rely on consent to process personal data, that consent should be free, specific, informed, unconditional and unambiguous. Companies should seek such consent by way of a clear and itemised notice and request for consent, to be made available in all the 22 languages mentioned in the 8th schedule of the Indian Constitution. The contents of that notice may be further elaborated in subsequent rules but based on the DPDP Act it is unlikely to need details of any data protection officer, further recipients of the personal data, period of retention, etc. as needed under the GDPR.
Consent is not aways needed and data fiduciaries may also process personal data for certain ‘legitimate uses’. This includes processing for:
- specified purposes for which the data principal has voluntarily provided her/his personal data, and has not indicated her/his objection to use such personal data for that purpose;
- fulfilment of any legal/judicial obligations of a specified nature;
- medical emergencies and health services, breakdown of public order; and
- employment.
The provisions of consent (and certain other obligations) will also not apply to data fiduciaries when processing is necessary for mergers, demergers and other schemes and for assessing financial liabilities in case of payment defaults (among other things).
Categorisation of data fiduciaries
A unique feature of the DPDP Act, data fiduciaries have been classified into different brackets on the basis of volume and sensitivity of the personal data (and other prescribed criteria). Organisations routinely dealing with large volumes of individual personal data will be classified as significant data fiduciaries and have additional obligations such as appointing a data protection officer and an independent data auditor, and conducting data protection impact assessments.
On the other hand, small-sized data fiduciaries, including start-ups, can be exempted by the Indian Government from certain obligations such as notice, ensuring accuracy, completeness and erasure of personal data and ensuring data principals’ right to access information.
Data breach and breach notifications
Data fiduciaries are required to employ reasonable security safeguards to prevent personal data breaches.
In addition, all personal data breaches are mandatorily reportable to the Board and, in a first in India, to affected data principals. The timeline for reporting a data breach under the DPDP Act is expected to be clarified by way of rules.
This requirement is different from the GDPR, which requires data controllers to notify risky breaches to the relevant supervisory authority and high risk breaches to data subjects. The purpose of requiring notification of all personal data breaches without any threshold is unclear – while individuals may like to be informed of the breach, notification of all personal data breaches is likely to cause information overload and unnecessary alarm. Notification of individuals can also be costly both in terms of sending out the initial notification and then dealing with questions from affected data principals.
Additionally, the mandatory reporting of data breaches to the Board creates a duplicate obligation on companies, who are currently already mandated to report breaches to the Indian Computer Emergency Response Team, the nodal agency to address cyber incidents under the IT Act, within six hours. It is hoped that this notification obligation will be further streamlined.
Children’s personal data
Parental consent must be obtained when processing data of all minors (defined as those under 18 years of age). There are additional restrictions on the usage of such data.
The age of majority is different in the GDPR, which states that consent from a child aged under 16 years to use online services is only valid if authorised by a parent (that age can be reduced to 13 in any national legislation). The special rules for children also only apply where the legal basis for processing is consent and do not necessarily foreclose reliance on other legal bases.
Rights and duties of data principals
Data principals have the right to access information, nomination, correction, completion, updating and erasure and grievance redressal. One of the major innovations under the GDPR, the right of data portability, is missing, possibly reflecting the limited take up of that right within the EU.
Unlike the GDPR, the DPDP Act also prescribes duties for data principals, with a provision on penalties for non-compliance with these duties. In particular, data principals must not impersonate another person, not supress material information, furnish only verifiably authentic information and not make frivolous complaints.
Data localisation and cross-border data transfers
The DPDP Act allows for cross-border transfers to all countries unless specifically restricted by the Indian Government. This provides a much simpler approach to international transfers compared to the complex matrix of adequacy, SCCs, BCRs and TIAs currently in placed under the GDPR.
Powers of the State
Disclosure of personal data by data fiduciaries to the State/agents of the State under a legal obligation is a ‘legitimate use’, not requiring consent of or intimation to concerned data principals. Further, the State/agents of the State themselves are exempted from seeking consent (and other obligations under the DPDP Act, including that of erasure of personal data in its records) while processing personal data, which is for the performance of any legal function, is in the interest of security, sovereignty and integrity of India or is to maintain public order. This broad exemption is not necessarily unexpected but is arguably unhelpful to any EU exporter conducting a Schrems II transfer impact assessment for data transfers to India.
Separately, the Indian government is responsible for the appointment of the members (including the Chairperson) of the Board, the supervisory and adjudicatory authority under the DPDP Act responsible for ensuring adequate protection of personal data.
Penalties
Unlike the GDPR, penalties for breaches and non-compliance of the DPDP Act are turnover agnostic, with the maximum penalty for different specified offences ranging from INR 50 crores to 250 crores (approximately Euro 5-25m). Unlike its previous iterations, the DPDP Act does not prescribe a maximum penalty that can be levied on a person where there are multiple breaches (for e.g. a failure to take reasonable security safeguards combined with a failure to notify the Board of a data breach) and instead prescribes penalties for each offence, which could then be aggregated while determining the maximum penalty that applies.
While determining the applicable penalty, the Board will consider factors such as the: (i) nature, gravity and duration of the breach; (ii) type and nature of the affected personal data; (iii) amounts of gain or loss realised; and (iv) mitigating actions.
What next?
The DPDP Act is a major landmark as the first comprehensive law for the protection of digital personal data in India. Companies should start considering how to comply with the obligations of the DPDP Act – an established GDPR compliance programme is a great place to start from but the requirements of the DPDP Act are different in some respects.
Companies should revisit, and revise (to the extent necessary), their existing documentation (privacy policies, notices, consent forms and other user interfaces) to comply with the higher compliance burdens set out under the DPDP Act/rules, as soon as the DPDP Act is in effect and thereafter on an ongoing basis. For processing that has been consented to before the DPDP Act comes into force, data fiduciaries will be required to give to data principals information such as the purpose with which their personal data is being processed, the manner in which data principals may exercise their rights and the manner of making a complaint to the Board, as soon as practicable.
Organisations which are likely to be classified as significant data fiduciaries have a higher compliance burden and should therefore be particularly focused on reviewing their data privacy practices to ensure compliance with the DPDP Act as seamlessly as possible.
Please see here for a detailed article on the summary of the key provisions of the DPDP Act.
For further information, please contact:
Georgina Kon, Partner, Linklaters.
georgina.kon@linklaters.com